Ramblings on switching to dnsmasq from isc

Started by MildDisaster, May 24, 2025, 02:30:25 AM

A couple nights ago I went ahead and tried to migrate over from ISC to Dnsmasq rather than KEA for reasons already stated in the manual.

Had a few ( and still am ) issues in the process.

Had difficulty understanding VLAN setup.  After a while figured out that I didn't need to use set/match tags for my setup (automagic interface matching, which somehow I missed in the first reading of opnsense's online doc).  Having the 'sort by interface' feature on the Hosts page tripped me up a bit.  I can guess why it's there; my guess is it shouldn't be (tag only, no?).  A concrete VLAN example in the docs would definitely help people experiencing temporary brain farts.

I am running with Unbound forwarding local queries to dnsmasq as per the doc, but am occasionally experiencing timeouts, SERVFAIL and weird situations where FQDNs will resolve but shortnames won't.  Usually when the timeout occurs I see the requests in the Unbound logs, but not in dnsmasq. Occasional bursts of 'reply query is duplicate' which I wish was a bit more verbose, as I'm unsure if this is business as usual or something to panic about.

Also had issues where static mappings were not registering seemingly until the client requested a lease.  Which I discovered while chasing down why aliases weren't working.

Noticed there are already a couple patches which may or may not address some of the things I'm experiencing (although my default assumption is always: operator error), but I can't say the transition to dnsmasq is something I'd regard as 'pleasant' or 'straightforward' or something to attempt while sitting down on a quiet relaxing evening with a bottle of some preferred libation.

I do not run DNSmasq. To help me understand the change, which reasons stated in the manual were persuasive for your particular case please?
Deciso DEC697

From: https://docs.opnsense.org/manual/dhcp.html
Quote: Dnsmasq is the new default DHCP server in version 25.7 and supersedes ISC. It is recommended for small and medium sized setups up to a thousand clients. Read more about the deployment differences between KEA and Dnsmasq here: Dnsmasq

Quote: KEA is the correct choice for large HA (High Availability) setups with more than a thousand clients in many different DHCP ranges. Dnsmasq can be used for smaller HA setups as alternative, though it does not offer lease synchronization like KEA.


From: https://docs.opnsense.org/manual/dnsmasq.html
Quote: It is considered the replacement for ISC-DHCP in small and medium sized setups and synergizes well with Unbound DNS, our standard enabled forward/resolver service.

There has been mention for some time in the patch notes about ISC's deprecation (it will apparently still be around for a while).  As for what persuaded me to do it now?  I had the time to do it. 

OK, thanks, no special reasons after the need to move away from ISC. My choice for my small installation was Kea. It has been flawless so I remain curious about other experiences.
Deciso DEC697

You can stick with KEA if you don't need any of the dnsmasq features. Essentially it does not matter which service you run if you only need basic DHCP.
Hardware:
DEC740

I think that is the oddity, Monviech. The manual suggests only large or HA or complex installations might need Kea yet for basic DHCP with some reservations it is simple to implement and just works. That hardly defines as large or complex. People can use what they please though looking at MildDisaster's description of their progress, might they have had an easier time with Kea? That is not clear to me.
Deciso DEC697

Quote from: Monviech (Cedrik) on May 24, 2025, 08:57:35 AM: You can stick with KEA if you dont need any of the dnsmasq features.
I've seen that the competition released a new version that has KEA with hostname registration in unbound. Is that also planned for opnsense? I ask because it feels wrong to have 2 DNS servers running at the same time just for DHCP hostname registration, which would be the case with dnsmasq.

You can also run only dnsmasq if you do not need a recursor or DoT with Unbound. You can simply use it as a forwarder to e.g. Cloudflare or Google.

It depends on the user how they want to configure their individual setup. There is lots of flexibility here.

Though this is the case with all of what Opnsense offers; just look at the complexity of firewalling and NAT. Some meticulously craft their rulesets, others will go for any any any.
Hardware:
DEC740

Is there a migration guide from ISC to either KEA or dnsmasq, rather than configuring either of these alternatives to ISC afresh as described in the guide?  I consider my DHCP setup rather basic, but since I am not familiar with either KEA or dnsmasq it will take me time to look into pros & cons of either and walk through the documentation.

At least, can I update 25.1.6_4 to 25.1.7 and continue using ISC just as it is configured for now, or will it be removed by the new DHCP package(s) and leave me with a broken configuration?

Quote from: fbantgat7 on May 24, 2025, 02:49:35 PM: At least, can I update 25.1.6_4 to 25.1.7 and continue using ISC just as it is configured for now, or will it be removed by the new DHCP package(s) and leave me with a broken configuration?

You can update safely. ISC is still very much there in 25.1.7.

I updated last night and nothing broke for me.

Quote from: grind on May 24, 2025, 01:00:41 PM: I've seen that the competition released a new version that has KEA with hostname registration in unbound. Is that also planned for opnsense? I ask because it feels wrong to have 2 DNS servers running at the same time just for DHCP hostname registration, which would be the case with dnsmasq.

I believe KEA has DNS registration for static hosts now?  I don't believe it did initially, or at least not when I first looked?  Not sure if that is the case for hosts destined for 'dynamic' pools.

... another gripe was dnsmasq's use of the term static for range types, misleading when trying to intuit the purpose of a static range type; given the normalized meaning of the term makes them sound redundant.

Quote from: MeltdownSpectre on May 24, 2025, 03:51:22 PM: You can update safely. ISC is still very much there in 25.1.7.

I updated last night and nothing broke for me.

Thanks, this will give me some (more) time to look into the alternatives.

Quote from: MildDisaster on May 24, 2025, 05:57:09 PM: I believe KEA has dns registration for static hosts now?
Static wouldn't be my problem, I also could add them to unbound manually. I meant dynamic leases.

May 24, 2025, 08:29:25 PM #13 Last Edit: May 24, 2025, 08:33:15 PM by grind
Just seen that there have already been 3rd party efforts, but as the issue is closed with state "unplanned" it seems that the opnsense team has no interest in implementing it: https://github.com/opnsense/core/issues/7475
So I'll stick with ISC as long as it will be in plugins and hope that opnsense team will decide to add dynamic lease registering on opnsense at some point.

May 25, 2025, 12:20:36 AM #14 Last Edit: May 25, 2025, 01:47:58 AM by MildDisaster Reason: user error
Nothing to see here